NPM author name parsing can crash if package.json contains an array of authors #960
Comments
We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story. The labels on this github issue will be updated when the story is started.
FWIW, here's a quick "belt and suspenders" solution that does both:

```ruby
def author_names
  names = []
  if @json['author'].is_a?(Array)
    # "author":["foo","bar"] isn't valid according to the NPM package.json schema, but can be found in the wild.
    names += @json['author'].map { |a| author_name(a) }
  else
    names << author_name(@json['author']) unless @json['author'].nil?
  end
  # "contributors" is the documented place for multiple authors; only map it when it really is an array.
  names += @json['contributors'].map { |c| author_name(c) } if @json['contributors'].is_a?(Array)
  names.compact.join(', ')
rescue TypeError
  # Any other malformed metadata is reported instead of aborting the whole run.
  puts "Warning: Invalid author and/or contributors metadata found in package.json for #{@identifier}"
  nil
end
```
Hey @ikaronen-relex! Someone made a PR for this, #959, but I do like your solution as well. I think this is cleaner, so I asked them to update it to this method.
I believe this can be closed now that #959 has been merged.
Thank you for the guidance and updates.
Cheers!
Nbaules
Hi! While upgrading some dependencies in our project, I noticed that our build process (which automatically runs this gem) crashes after upgrading to LicenseFinder v7.1.0.
This happens because one of our NPM dependencies (https://github.com/chenglou/react-motion) contains `"author": ["nkbt", "chenglou"]` in its package.json. The author metadata parsing introduced in 78fc9ab doesn't expect the value of this field to be an array and crashes with a TypeError:

To be fair, this package.json is invalid according to the NPM documentation, which says that multiple authors should be listed under `contributors`, and I've already reported it at chenglou/react-motion#630. Nonetheless it's still found in the wild (and this might not be the only case) and probably shouldn't crash LicenseFinder completely. Either the `author_names` method should be tweaked to accept this syntax, or at least the TypeError (and other possible errors caused by such invalid package metadata) should be rescued and handled gracefully.
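The following is an added, stand-alone example (not LicenseFinder's code, and not the snippet posted in the thread) of the defensive parsing the issue and the proposed fix above both describe. It goes a little beyond the reported case: besides the invalid `"author": [...]` array form it handles the two shapes the npm documentation does allow, the short string `"Name <email> (url)"` and the object `{"name": ..., "email": ..., "url": ...}`, and it treats anything else (numbers, null entries, objects without a name, unparseable JSON) as a warning rather than a crash. The module name `PackageAuthors`, the helper names, and the sample package.json documents are all constructed for this example.

```ruby
require 'json'

# Added example, not part of LicenseFinder: tolerant extraction of author names
# from package.json metadata.
module PackageAuthors
  # Map one author entry to a display name.
  #   "Name <email> (url)"  -> "Name"   (npm short string form)
  #   {"name" => "Name"}    -> "Name"   (npm object form)
  # Anything else (nil, Integer, nested Array, Hash without a usable name)
  # yields nil, so one bad entry never raises a TypeError for the whole package.
  def self.author_name(entry)
    case entry
    when String
      # Drop the optional "<email>" and "(url)" parts of the short form.
      name = entry.sub(/\s*<[^>]*>/, '').sub(/\s*\([^)]*\)/, '').strip
      name.empty? ? nil : name
    when Hash
      name = entry['name']
      name.is_a?(String) && !name.strip.empty? ? name.strip : nil
    else
      nil
    end
  end

  # Normalise a field to a list without using Array(), which would turn a Hash
  # into an array of key/value pairs.
  def self.as_list(value)
    case value
    when nil then []
    when Array then value
    else [value]
    end
  end

  # "author" should be a single entry but is accepted as an array too, since
  # e.g. "author": ["nkbt", "chenglou"] exists in the wild. "contributors"
  # should be an array but a single entry is tolerated as well.
  # Returns the comma-joined unique names, or nil when none are usable.
  def self.author_names(json)
    entries = as_list(json['author']) + as_list(json['contributors'])
    names = entries.map { |e| author_name(e) }.compact.uniq
    names.empty? ? nil : names.join(', ')
  end

  # Parse a package.json document and return the joined names; unparseable or
  # non-object documents produce a warning on stderr and nil instead of an error.
  def self.names_from_package_json(text, identifier: 'unknown')
    json = JSON.parse(text)
    unless json.is_a?(Hash)
      warn "Warning: package.json for #{identifier} is not a JSON object"
      return nil
    end
    author_names(json)
  rescue JSON::ParserError => e
    warn "Warning: could not parse package.json for #{identifier}: #{e.message}"
    nil
  end
end

# Constructed sample documents covering the valid forms, the invalid array
# form from the issue, and outright garbage.
SAMPLES = {
  'string' => '{"author": "Barney Rubble <b@rubble.com> (http://barnyrubble.tumblr.com/)"}',
  'object' => '{"author": {"name": "Barney Rubble", "email": "b@rubble.com"}}',
  'array'  => '{"author": ["nkbt", "chenglou"]}',
  'mixed'  => '{"author": "Alice", "contributors": [{"name": "Bob"}, "Carol <c@example.com>"]}',
  'broken' => '{"author": 42, "contributors": [null, {"email": "x@example.com"}]}',
  'notjson' => 'this is not json'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, text|
    puts "#{label}: #{PackageAuthors.names_from_package_json(text, identifier: label).inspect}"
  end
end
```

Running the file prints one line per sample; the `array` case yields `"nkbt, chenglou"`, while `broken` and `notjson` yield `nil` after a warning on stderr, which is the behaviour the issue asks for: degrade to "no author metadata" instead of aborting the scan.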